National Security Agency Detains Outsourced Worker for Stealing Sensitive Research Data
China's Ministry of State Security has apprehended an outsourced IT maintenance worker for allegedly downloading and providing core research data to foreign intelligence agencies. The incident highlights significant security risks associated with third-party vendors.

China's Ministry of State Security (MSS) has revealed the arrest of an outsourced IT maintenance worker accused of downloading and transferring sensitive core research data to foreign intelligence services. The case underscores the growing security concerns surrounding the outsourcing of IT operations, as more organizations rely on third-party vendors for system maintenance, data aggregation, and platform support.
The MSS cautioned that a lack of rigorous oversight has led some entities and individuals to become complacent, entrusting critical business operations, data, and permissions to service contractors without adequate safeguards. This approach, described as a "hands-off" model, can create systemic security risks. In recent years, security agencies have reported multiple cases of data leakage and loss stemming from outsourced data services, highlighting a tendency to prioritize business progress and service efficiency over robust security controls.
One specific case involved a research institution that outsourced its experimental database operations to a third-party company. The institution failed to implement essential security measures such as background checks for on-site personnel and data access logging. An outsourced maintenance worker, lured by foreign intelligence, exploited remote access privileges to download extensive core research data and exfiltrate it abroad. The worker has since been apprehended by national security authorities, and responsible parties within the research institution are facing accountability.
Other reported incidents include a company providing data services to a hospital that secretly collected over 280,000 patient records for its own database. Another case saw a public institution's website, outsourced for construction and maintenance, suffer a cyberattack and the embedding of illegal content due to the provider's failure to implement basic cybersecurity measures and patch known vulnerabilities.
The MSS identified that risks associated with "data outsourcing" commonly stem from inadequate vetting of personnel, poor access control, and a lack of closed-loop management. Chinese laws, including the Data Security Law, mandate clear contractual terms regarding data processing purposes, duration, methods, scope, and protection measures when engaging third-party service providers. The ministry emphasized that outsourcing does not absolve the outsourcing entity of its primary responsibility for data security.